Could I answer that, because some information might be of use?
The Privacy Commissioner currently has a set of standards or policies with respect to disclosure of the name of a company that's breached the act. First of all, she does not normally disclose the name immediately because she wants to use that power with discretion and ask the company to correct what it's doing, change the way they're doing things, do better. If they comply with what they're being asked to do, fine, she will be satisfied, but if they don't, she has the authority to release their name publicly. I can tell you that is a huge power, because no one wants to shake the confidence of their customers in how they protect private information.
As you've suggested, if a company keeps breaching the act, the commissioner could certainly release it. The other time she has said she will release it, as her predecessor said as well, is if there were ongoing harm. If something were happening and the public needed to know right away so they could protect themselves, then she would release the name. There is a process in place as to when the name is released and under what circumstances.